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1 . 0 INTRODUCTION 

1.1 Purpose 

This document provides a chronological summary of the tasks 
performed on the Integrated Command, Control, Communication and 
Computation (IC4) System Design Study (Contract NAS5-26689) . 

1.2 Scope 

The IC4 System Design Study was awarded to Computer Technology 
Associates, Inc. in September, 1981. This study was conducted in 
three tasks, as follows: 

a. Task 1: TDRSS Era Command and Control System Study 

b. Task 2: Automating Real-Time Operations Study 

c. Task 3: Image Processing work Plan Study 

The results of the TDRSS ISra Command and Control System Study 
were documented in References 1 and 2. The results of the 
Automating Real-Time Operations Study were documented in 
Reference 3. The Image Processing Work Plan Study was added to 
the IC4 contract at the request of NASA Headquarters. The 

results of this task were transmitted to NASA Headquarters and 
are not included in this document. This report provides a brief 
synopsis of the activities and results of the three study tasks. 
For specific details concerning the individual tasks, refer to 
the referenced documents . 
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1.3 ACRONYMS AND ABBREVIATIONS 
DOC Data Operational Control 

DSM Data system Modernization 

ERBS Earth Radiation Budget Satellite 

FY Fiscal Year 

(3STDN Ground Station and Tracking Data Network 
H/W Hardware 

IC4 Integrated Command, Control, Commc«ni cat ions and 

Computation 

MMI Man“Machine Interface 

MSOCC Multi-satellite Operations Control Center 

NASCOM NASA Communications 

NEEDS NASA End-to-End Data System 

POCC Project Operations Control Center 

R"T Real-Time 

SME Solar Mesospheric Explorer 

SMM Solar Maximum Mission 

STOL System Test and Operations Language 

S/W Software 

TDRSS Tracking Data Relay Satellite System 

TELOPS Telepetry On-Line Processing System 

TIPIT TDRSS Interface Preprocessor Into TELOPS 


2.0 APPLICAi^LE DOCUMENTS 

X . J5SEC CflPimand aM .c.onixQl F.unq.ti.onal AnaXya-la. E£P5iit,f 
Computer Technology Assoc, iatesr Inc., October 31, 1981. 

2 . NEEDS £haaa 3. T.e.Chng.lQ.gi: Repaid, computer Technology 

Associates, Inc., October 31, 1981. 

3. Recommendations £p£ Automating Real-Time. Qpera . t i. fin a, 
Computer Technology Associates, inc,, November 8, 1982. 

4. IC4 System Design Study Progress Reports. 

5. IC4 S ystem Fuagtifinal Af fihi te.C.tUX.e , computer Technology 
Associates, Inc., August 17, 1981. 

6. Mitchell, Chris, "Human-":.jhine interface issues in the 
Multi-Satellite Operations Control Center-1", NASA 
Technical Memorandum 83826, August 1981. 

7 . Automated MSOCC-1 DOC System Study Task Summary Report (B83- 
D-17400-04), June, 1981. 

8. Minutes for Operations Planning Preliminary Design Review, 
DSM Project. 

9. Computer Program Product Specification for DSH/Commanding 
Computer Prograr , 

10. Computer Program Product Specification for DSM/Mission 
Control Complex Management Computer Program. 

11. DSM Operations Concept. 

12. Computer Program Product specification for DSM/Display 

Management Computer Program. 

13. Computer Program Product Specification for DSM/Common 

Services Computer Program. 
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3.0 TASK 1 RESULTS: TDRSS ERA COMMAND AND CONTROL SYSTEM STUDY 

The purposes of this task were as follows: 

a. Define the GSPC TDRSS era command and control system 
functions , 

b. Determine potential areas for introduction of automated 
technology, alternative procedures and alternative 
design which will improve performance and reduce cost 
of the command and control process, 

c. Recommend specific technology efforts to be pursued 
during NEEDS Phase 3. 

This task was conducted in two subtasks. In Subtask 1, a 

functional breakdown of the command and control system was 
provided, and cost and performance factors were applied to this 
functional structure. In Subtask 2, the NEEDS Phase 3 technology 
effort in the command and control area was defined. The results 
of these two subtasks are summarized below. 

3.1 COMMAND Al>’/D CONTROL SYSTEM FUNCTIONAL STUDY 

The GSFC Command and Control System Functional Study was 

performed to define the TDRSS era command and control system 
functional breakdown and to apply cost and performance factors to 
this functional structure. The purpose of this activity was to 
determine the major command and control cost drivers and to 
specify functions requiring further analyses and development 
within the NEEDS Phase 3 arena. As summarized in Reference 1, 

command and control costs (FY 1983 projections) were examined for 

the following GSFC institutional and project related aras: 

a. Project Mission Operations. 

b. Mission and Data Operations. 

c. Networks. 

The following information was provided as part of the analysis 
for each of these areas: 

a. Total cost of each function for FY 1983. 

b. The percentage of cost allocated to command and 
control for that function. 

c. The actual command and control cost. 

d. Development or o*,ie time only costs versus recurring 
costs . 
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Project Mission Operations costs were analyzed for three GSPC 
missions (DErSMM,ERBS) to determine the number of personnel 
supporting command and control functions. Mission and Data 
Operations costs were provided for the following areas: 

a. Mission Operations. 

b. Programming, Computation and Analysis Operations. 

Command and control costs v^^^re also provided for the following 
Network areas: 

a. GSTDN Operations. 

b. TDRSS Operations. 

c. Laser Tracking Subnet. 

d. Opp/rational support Computing. 

e. NASCOM Operations, 

Cost data for each of these areas and cost data summaries are 
summarized in Reference 1. The results of this analysis indicated 
that relative to command and control costs, GSTDN operations and 
Mission Operations are the major cost drivers. However, it was 
felt that relative to NEEDS GSTDN operations were adequately 
being addressed by Code 800. Consequently, the emphasis within 
the NEEDS command and control area was centered primarily around 
Mission Operations as summarized in Section 3.2 below. 


3.2 RECOMMENDED NEEDS PHASE 3 TECHNOLOCy EFFORTS 


The purpose of this subtask was to analyze cost, performance and 
mission drivers to determine the recommended emphasis of the 
NEEDS Phase 3 technology efforts in the command and control area. 
Reference 2 summarized the results of this subtask and completed 
the TDRSS Era Command and control System Study, 

In Reference 2, the following command and control tasks were 
recommended: 

a. Operations Concept for Automating Real-Time Operations. 

b. Operations Concept for Command Generation. 

c. Operations Concept for Scheduling TDRSS Support. 

d. User-Computer Interaction Demonstration System, 

e. Ground-Space Control Trade-Off Study. 

f. Project Management Guidelines for Prelau'-ich Test and 
Integration. 

For each of these tasks, the purpose, number of phases {or 
subtasks) , phase descrxptxcn, output, and level— of— effort were 
defined. The detailed task descriptions are contained in 
Reference 2. 
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4.0 TASK 2 RESULTS: AUTOMATING REAL-TIME OPERATIONS STUDY 


As a reti’ult of the TASK 1 effort, the IC4 contract was redirected 
to analyze real-time command and control operations to 
identify and recommend functions suitable for automating. 
The effort to conduct this task centered around two areas of 
activity. One, to evaluate the real-time operations, information 
was obtained that was useful for the GSPC Human Factors Working 
Group, particularly on the ERBS project, and this data was 
presented to the Human Factor Working Group and at the Human 
Factors workshop held at GSFC in May, 1982. The second area 
included the actual analysis of real-time operations to recommend 
functions suitable for automation, as defined in the statement of 
Work. These two areas are summarized separately in Sections 4.1 
and 4.2 below. 

4,1 HUMAN FACTORS WORKING GROUP SUPPORT 

To analyze ERBS real-time operations, technical interchange 
meetings were conducted with ERBS personnel. The purpose of 
these discussions was to review the ERBS cciamand panel and the 
ERBS contact events. As a result, an ERBS contact scenario was 
developed and presented to the Human Factors Working Group. 
Appendix A of this document contains this scenario which defines 
real-time events, displays, and manual (operator 1 and 2) and 
automatic actions. In addition to the contact scenario, a 
critigue of the ERBS command panel was generated. This critigue 
is contained in Appendix B. 

In support of the Human Factors Workshop held May 26, 1982, a 
presentation entitled "A Case Study of a System Engineered for 
Control by Humans" was delivered. Appendix C contains the report 
summarizing this presentation. In brief, the recommendation is 
made that future operations be system engineered to implement a 
real-time health and safety operational philosophy called the 
"watchman concept". The essence of this concept is to provide 
information that identifies problems, not data, and to provide 
on-board safing to protect hardware and contain the problem to 
the failed component. An operator friendly approach to 
contingency design is recommended where information is presented 
in a format that the less experienced operator can readily recog- 
nize and react to system problems. An approach to displaying 
information is presented in the form of a star icon. This type 
of display presents information which provides "the watchman" 
type operator with a clear indication of a problem and provides a 
second level of information detail as to the nature of the 
problem. 
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4.2 RECOMMENDATIONS FOR AUTOMATING READ-TIME COMMAND AND CONTROL 
FUNCTIONS 

The purpose of this effort was to analyze real-time mission 
operations, identify functions currently being performed, and 
define real-time functions suitable for automating. Three 

missions (SMM/ ERBS, and SME) were selected as example missions 
to use in conducting the analysis. The following eight 

operational areas were defined and examined in detail for the 
three missions; 

a. Routine spacecraft status and monitoring. 

b. Presenting alarms to the operator. 

c. Response to alarms. 

d. Real-time science data monitor and response, 

e. On-board spacecraft accommodation. 

f. Pre-pass preparation. 

g. Pass operations, 

h. Post-pass operations. 

For each of the major areas, a one-to-one comparison of functions 
was generated to define the current or planned mode of operation 
for each mission. Based on this comparison, considerations for 
automation were identified for each operational area. Potential 
techniques for implementing the automation were then identified, 
and cost, performance and personnel issues were addressed for 
each function. Based on this analysis, recommendations for 
automating real-time functions were generated. 

Key automation considerations identified as a result of the SMM- 
ERBS-SME analysis include: 

a. Provide real-time trend plotting and analysis programs to 
support routine spacecraft status and monitoring. With this 
feature the operator would have the capability in real-time 
to request plots of any telemetry point or to execute on- 
line analysis programs, 

b. Provide automatic response to selected anomalies by 
transmitting precanned commands upon detection of the 
anomaly by the ground system. Allow the acceptable set of 
automatic responses to increase as the mission matures. 

c. Provide the capability to pre-define branch points in the 
uplink process and to automatically select and execute the 
appropriate branch based on the downlink telemetry data. 
This capability supports real-time science data monitor 
and response and spacecraft pass operations. 
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d. Provide the capability to add automated functions on- 
board as a mission progresses. Candidates for on-board 
automation would include automatic responses to selected 
anomalies where the automatic response has been occurring on 
the ground but with confidence in its execution the 
automatic response to the anomaly is placed on-board the 
spacecraft. 

e. Provide the capability to automatically execute the pass 
plan with operator intervention in event of anomalies or as 
required for selected pass activities. 

The capability currently exists or is used (anticipated) for many 
of the automation considerations identified. However, cartain 
characteristics are inherent in the current system that affect 
the amount of automation that will be incorporated in future 
operations. For example, 

a. The operator is always in the loop to make decisions and 
take action. In many cases operator action is essential to 
spacecraft command and control operations. However, in 
selected instances, the ground system could make the 
decision based on telemetry data and automatically take the 
appropriate action. 

b. With the operator always in the loop, there is the 
potential for operator errors. For routine operations where 

ground system can make the proper decisions and take 
r^ition, the chance for errors could be minimized. 

c. The potential of over-loading the real-time system 
may limit automated capability or imply need for increased 
computing capability, 

d. Many projects incorporate selected automation but these 
innovative ideas and implementation techniques are not 
necessarily shared between missions. 

e. Operational costs often exceed development costs. For 
long term missions, system life cycle costs could be 
reduced by increasing the amount of operational automation 
(ie, software) and ultimately development costs, but over the 
life cycle of the mission the costs would be reduced. 


As a result of the IC4 analysis, the following recommendations 
are made relative to automation in the future: 

a. Develop and test an automated pass plan that controls 
execution of all pass functions". Incorporate expert 
system/decision aid technology to implement this system to 
provide the automation considerations, to provide capability 
to increase automation as a mission progresses, to allow 
user interaction where necessary and to provide consistent 
capabilities between missions. Evaluate high order 
languages as a means of providing the user/ operator 
interface with the automated pass plan. 

b. Provide real-time science/subsystem user interaction to 
select pre-canned commands or pre-defined branch points in 
the uplink operations. Evaluate remote user operations for 
interacting with the real-time system. 

c. Evaluate and develop expert systems to support anomaly 
investigations and to ultimately support real-time 
spacecraft evaluatiojis. 

Based on these automation recommendations, the following options 
are suggested as the logical continuation of the IC4 effort: 


a. perform a detailed requirements analysis for automated 
operations. This analysis would include generation of an 
Operations Concept and Requirements Document summarizing the 
operations philosophy for implementing automated operations. 
It is recommended that two techniques for implementation be 
analyzed in depth as part of this effort: a STOL based 
implementation and an expert system/decision aid 
implementation using a high order language for the user 
interface. 


b. Evaluate the technique for implementing automated 
operations whereby a "front-end" processor provides the user 
interface and analysis without impact to the current real- 
time system. This processor could provide the automation 
using either of the implementation techniques described in 
item (a) above. 


5.0 TASK 3 RESULTS: IMAGE PROCESSING WORK PLAN STUDY 

In July, 1982, a third task was added to the IC4 contract at the 
request of NASA Headquarters, The purpose of Task 3 was to 
develop a work plan and schedule for defining critical image 
processing needs at the Jet Propulsion Laboratory, for iisseseing 
alternatives means of meeting these needs, and for supporting 
design and development of a recommended image processing system. 
The results of this task were transmitted to NASA Headquarters. 
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Foreword 


This critique of the ERBS Command Panel Functional Design has 
been prepared by Computer Technology Associates, Inc., Denver, 
Colorado, under the 1C** System Design Study Contract, NAS5-26689 
for NASA Goddard Space Flight Center (CSFC) . 



1,0 Introduction 


1.1 Purpose 

This critique is for use as an evaluation tool in the human 
factors analysis being conducted by the Human Factors Group of CSFC. 

1.2 Scope 

This critique is a brief assessment of the advantages and disadvantages 
of the current ERBS Command Panel Functional Design as documented 
in '•Command Panel Functional Specification," BFEC, March 1982. In 
addition, clarification of technical details was accomplished in informal 
Interchange meetings with Mr. Steve Miles of BFEC on March 5, 10 and 
30, 1982. 

2.0 Critique 

2. 1 Advantages 

The salient advantages of the command panel concept are the 
retively simple man-machine interface provided and the consolidation 
of many indications into a single work station /terminal. 

2.1.1 Man-Machine Interface 

The command panel concept allows the use of graphics techniques, 
colors, and positive operator selection authority to optimize human 
factors considerations for the man-machine Interface. Graphics techniques 
are employed in the command panel for the matrix layouts and alpha- 
numerics, yielding a flexible format capability with variable line weights, 
type styles and sizes, and scrolling for the pass plan matrix. Colors 
are used to represent selections, alarms and status throughout. The 
light emitting diode (LED) matrix overlay requires the physical interrup- 
tion of the beams in the matrix to cause a selection to be made. 

2.1.2 Single Work Station /Terminal 

Many indications normally dispersed throughout several display 
pages in a traditional MSOCC environment are incorporated into the 
command panel. Alarm indications are provided for spacecraft and 
NCC/TDRSS anomalies and a command reject indication resp>onds to 
application processor detected rejects. Several Sines at the top of 
the display are reserved for a STOL syntax printout of the procedure 
In progress, and two lines at the bottom are reserved for interactive 
NCC messages. 
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2.2 Disadvantages 

As currently defined, the command panel lacks tactile feedback, has 
an extremely high density layout, offers no Improvement over MSOCC 
standard capabilities for unplanned contingencies and/or backout operations, 
and due to its singularity in the ERBS application, raises reliability /main- 
tainibility /availability concerns. 

2.2.1 Tactile Feedback 

The LED Matrix arrangement offers no tactile feedback to the 
operator. The color change of the '‘button” selected provides the 
only indication of the activation. This could be supplemented by the 
voice synthesizer of other audible cue, but these are not considered 
optimum for routine operations. Also, dependent on the resolution 
of the L^ED fields, inadvertent selections could result from an unsteady 
operator action or parallax error. 

2.2.2 Layout 

The organization of the command panel is cluttered, particularly 
when considering the multiple colors in the high density layout. This 
could lead to confusion or fatigue in operational scenarios, especially 
when stress is a factor. 

2.2.3 Contingency /Backout Procedures 

Under nominal operational conditions the advantages of the command 
panel (Section 2.1 above) can be exploited. In the event of an unplanned 
contingency (one not supported by a procedure in the contingency 
procedures matrix) or a backout operation (one calling for KILLPROC, 
and subsequent directives) the operator reverts to normal MSOCC /STOL 
practices. In these circumstances the command panel has not enhanced 
the level of automation available to the operator, and in fact, requires 
him to either reconfigure the command panel (Invoke "STOL") or switch 
to a different (MSOCC) terminal. 

2.2.4 Reliability /Maintainability /Availability (R/M/A) 

A failure In the command panel system, be it the mircrprocessor, 
terminal, or LED matrix causes an abrupt reversion to normal MSOCC 
practices. The R/M/A statistics for these equipments must be analyzed 
to determine the level of training required to counter the risks 
associated with a rapid turnaround to MSOCC practices, and to 
establish a maintenance and sparing philosophy commensurate with 
the determined criticality of the equipments. 
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3.0 Conclusions 

Since the command panel Is a new development effort in Itself, 
other options should be explored prior to full-scale implementation of - 
the command panel concept. The areas deserving of further study are: 

a. Alternative Graphics: Use of menus, or other illustrative 

representations for information currently contained in the 
five matrices and alarm /reject Indicators. 

b. Operator Input/Output: Use of track ball, light pen, "mouse," 

membrane panel or other selection media. The track bail and 
"mouse" are cursor positioning methods, the light pen and 
membrane panel are direct selection methods. 

c. Enhanced automation: Since the command panel is microprocessor 

based, an investigation of additional tasks that could be per- 
formed automatically (ex: "stepping" to the next procedure in 
the nominal pass plan upon successful execution of the 
preceding procedure). Also, this should Include studying 
shifting of tasks between the ERBS microprocessor, applications 
processor, and command panel microprocessor for load leveling, 
process streamlining (ex: reduced l/G) or other advantages. 
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APPENDIX C 





A Case Study of a System Engineered for Control by Humans 

Joseph H. Rothenberg 
Computer Technology Associates 


Historically, NASA/GSPC unmanned spacecraft command and control 
and health and safety operations have been data and people 
intensive. The increase in spacecraft complexity and the 
resulting increase in data required to establish the spacecraft 
status have made the traditional people intensive command and 
control operation both costly and a higher risk. The increased 
use and capability of on-board computers provides us with the 
opportunity to examine alternatives to the traditional concepts 
for real-time health and safety operations. 

The pitfalls of the conventional contingency planning for health 
and safety are highlighted in Figure 1. The Solar Maximum 
Mission (SMM) contingency planning and operations provide one 
step in the evolution from this conventional people intensive 
health and safety operation toward a "night watchman" mode of 
operations. The SMM spacecraft health and safety operations were 
budget constrained to the point that one week after launch one 
operator was responsible for the health and safety of the entire 
spacecraft. The spacecraft was a protoflight with new subsystem 
configurations, software and procedures, to manage the risks 
associated with this one man SMM health and safety operation, 
real-time contingency planning and operations centered around 
unambiguously identifying a system level problem and reactively 
safing components susceptible to unrecoverable damage. The 
methoddXofy applied to both analyzing and implementing this 
approach for SMM is shown in steps I-V below: 

STEP I. Identify spacecraft and experiment hardware damage 
susceptibility to unpredicted system level states. 

i.e. -Mispointing 

-Unpredicted vehicle rates 

-Computer failure 

-Short on the power system. 

AS a general rule all lower level failures or operator 
errors will manifest themselves into one or more system 
level anomalies. 
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FIGURE Ir. TYFICiVL .CQK!TINfi£N£X QPERAT.IDKfi PROBLEMS 


LARGE CONTINGENCY PLAN IS UNMANAGEABLE 
“TRAINING VERSUS RETENTION 

“PUTS UNFAIR RESPONSIBILITY ON THE HUMAN OPERATOR 
“REQUIRES LARGE COMBINATION OF DATA AND DISPLAYS 
“GENERALLY DOES NOT COVER OPERATOR ERRORS 

MOST FAILURES ARE NOT COVERED IN THE CONTIGENCY PLAN 

TIME AVAILABLE TO RECOGNIZE PROBLEM RANGES FROM LIMITED 
TO NONE 
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STEP II. Identify the minimum information and limit values 
required to unambiguously identify system level 
problems , 

i.e. -p/y and R position 
Hardware/software 
-S/C rates 
Hardware/software 
-S/C currents. 

These may be directly in the data stream or computed 
prior to display, 

STEP III. Identify and allocate the functions and time response 
necessary to contain hardware damage (safe system) . 

i.e. -On-board command response 

-Control center command response time (prime and 
backup) . 

Allocation is based on operational on-board capability? 
time allowed from identification until damage 
irreversible. 

Level of safing is dependent on recovery complexity. 

i.e. -Turn off all instruments 

-Leave computer running but disable command 
function. 

STEP IV. Establish operations policy, procedures and displays 
for health and safety monitoring and contingency 
actions. 

i.e. -Monitor these 20 parameters 

-Get vehicle and instruments safe 

-Issue procedure XYZ anytime mispointed. 

The operator should not be required to assume risk. He 
should be provided with the tools to recognize a 
problem and conservatively respond. Where one time 
science is involved "what if planning" and backup 
personnel should be provided. 
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STEP V. All other subsystem and benign system-level anomalies 
should be categorized and operator responsibilities 
defined. 

i.e. -Unexpected configurations 
-Thermal limits 

The results of this analysis led to providing the SMM health and 
safety operations monitor three levels of anomaly criticality, a 
clear policy, and approximately twenty-nine parameters on two 
displays within which he maintained spacecraft safety. The 
levels of SMM anomaly criticaly and the SMM contingency 
operations policies are provided below. 

Category I Contingency Actions 

0 Safe hardware 

o Analyze problem 

o Stabilize vehicle 

o Notify in-depth analysis 

Category ll Contingency A.ctions 

0 Notify in-depth analysis 

o Analyze problem 

0 Prepare to safe hardware 

Category III Contingency Actions 

o Notify in-depth analysis 

The two displays provided to monitor the twenty-nine parameters 
are shown in Figures 2 and 3. The Flag column would provide the 
operator with an indication of a category 1,2, or 3 severity. But 
more importantly, the operator has instant cognition of a problem 
by simply noting an entry in the flag column. Simple unambiguous 
safing procedures which could be issued safely under any 

conditions were A clear cut simple contingency plan shown in 
Figure 4 was the prime reference for operator safing response. 

The second result from the contingency analysis was the 

indentif ication of those safing actions that were so time 
critical they must be initiated by the on-board computer. These 
were incorporated into the software applications processors. 
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- SMM CATEGORY 1 REAL-TIME CONTINGENCY MONITOR (1 of 2) 
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FIGURE 3 - SMM CATEGORY 1 REAL-TIME CONTINGENCY MONITOR (2 of 2) 
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FIGURE U - REAL-TIME OPERATIONS CONTINGENCY PLAN 



f! 


The successful results of the SMM contingency planning and 
operations implementation provide the basis for further 
simplification of spacecraft health and safety — the ”watchraan 
concept." The basic signal to the SMM monitor that a problem 
existed was his observation of a flag in the last column of the 
two displays shown in Figures 2 and 3. One could easily envision 
extending this concept to elimination of everything on the 
display except the flag column. 

The experience gained on SMM coupled with Increasing operations 
cost and increased use of flight computers, TDRSS, and ground 
system graphics provide the opportunity to re-evaluate health and 
safety operations. The historical evolution of the personnel 
assigned to monitoring spacecraft health and safety presents 
another consideration. Traditionally the "experts" at launch are 
off to their next project and are replaced by pure monitors by 
six months after launch. The personnel exposed to contingency 
training and familiar with the documentation are generally no 
longer around. 

Cost, technology and personnel considerations lead to a 
suggestion that future operations be engineered to implement a 
different real-time health and safety operational philosophy, the 
"watchman concept." The essence of this concept is to provide 
information that identifies problems, not data, and on-board 
safing to protect hardware and contain the problem to the failed 
component , 

Systems engineering for the human function in health and safety 
should consider the operator likely to be in place for the 
routine operation. we need to provide both an operator friendly 
approach to contingency design as well as the information in a 
form that the less experienced operator can readily recognize and 
react to system problems. The star icon in Figure 5 illustrates 
one approach to displaying information which could provide both 
"the watchman" type operator with a clear indication of a problem 
and the experienced operator with the same indication. It also 
however provides a second level of information detail as to the 
nature of the. problem. Either ground or on-board automated 
responses could take the initial safing step. Any change in 
symmetry, color or stability of the star would readily be 
detected. The sample points shown in fact represent those 
category 1 flags shown in the SMM displays of Figures 1 and 2. 

Once the concept of information display is accepted and readily 
recognizable forms of display are developed, the real-time health 
and safety monitoring for many spacecraft simultaneously by a 
"watchman" could be a realizable operations goal for NASA. As 
with today's operations the watchman would call "the expert" as 
soon as he detects an anomaly. 
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The idea can be extended throughout operations. The center 
director could have a bank of screens or even a composite icon 
which at a glance gives him operational spacecraft status. 
Remote experimenters could be given status information in the 
same fashion. Sometime in the future^ night and weekend health 
and safety operations monitoring may even be able to be added to 
the security guards checklist. 


